CVE-2025-28062

Published: May 5, 2025Modified: Jun 17, 2025

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Exploitability: 2.8 / Impact: 5.2

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in ERPNEXT 14.82.1 and 14.74.3. The vulnerability allows an attacker to perform unauthorized actions such as user deletion, password resets, and privilege escalation due to missing CSRF protections.

Affected (2)

Products: Frappe: Erpnext

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Frappe Erpnext	Version 14.74.3
Frappe Erpnext	Version 14.82.1

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (2)

https://github.com/Thvt0ne/CVE-2025-28062

Source: cve@mitre.org

Exploit

https://github.com/frappe/erpnext

Source: cve@mitre.org

Product

Timeline

No history available yet.